package com.greate.community.config;

import com.greate.community.entity.Permission;
import com.greate.community.service.master.RBACService;
import com.greate.community.util.CommunityConstant;
import com.greate.community.util.CommunityUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.List;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter implements CommunityConstant {

    @Autowired
    private RBACService rbacService;

    /**
     * 静态资源
     * @param web
     * @throws Exception
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

    // 认证环节我们使用自己的代码 LoginController，绕过 Spring Security 的


    /**
     * 授权
     * @param http
     * @throws Exception
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        //获得要认证的请求
        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry
                authorizeRequests = http.authorizeRequests();
        //然后在数据库中读出需要权限的请求放入 authorizeRequests中
        List<Permission> allPermission = rbacService.getAllPermission();
        if (allPermission!=null &&allPermission.size()>0){
            allPermission.forEach(e->{
                System.out.println(e.getUrl());
                authorizeRequests.antMatchers(e.getUrl()).hasAnyAuthority(e.getPermTag());
            });
        }

        //其他放行
        http.authorizeRequests().anyRequest().permitAll()
        .and().csrf().disable();

//        http.authorizeRequests()
//                .antMatchers(
//                    "/user/setting",
//                        "/user/upload",
//                        "/discuss/add",
//                        "/discuss/publish",
//                        "/comment/add/**",
//                        "/letter/**",
//                        "/notice/**",
//                        "/like",
//                        "/follow",
//                        "/unfollow"
//                )
//                .hasAnyAuthority(
//                        AUTHORITY_USER,
//                        AUTHORITY_ADMIN,
//                        AUTHORITY_MODERATOR
//                )
//
//                .antMatchers(
//                        //只有博主才能进行进行这些操作
//                    "/discuss/top",
//                        "/discuss/wonderful"
//                )
//                .hasAnyAuthority(
//                        AUTHORITY_MODERATOR
//                )
//
//                .antMatchers(
//                        //只有管理员才具有的操作
//                        "/discuss/delete",
//                        "/discuss/delete/",
//                        "/data/**"
//                )
//                .hasAnyAuthority(
//                        //只有管理员能删除？
//                        AUTHORITY_ADMIN
//                )
//
//                .anyRequest().permitAll()
//
//                .and().csrf().disable();

        // 权限不够时的处理
        http.exceptionHandling()
                // 1. 未登录时的处理 未通过认证
                .authenticationEntryPoint(new AuthenticationEntryPoint() {
                    @Override
                    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
                        String xRequestedWith = request.getHeader("x-requested-with");
                        if ("XMLHttpRequest".equals(xRequestedWith)) {
                            // 异步请求
                            response.setContentType("application/plain;charset=utf-8");
                            PrintWriter writer = response.getWriter();
                            writer.write(CommunityUtil.getJSONString(403, "你还没有登录"));
                        }
                        else {
                            // 普通请求
                            response.sendRedirect(request.getContextPath() + "/login");
                        }
                    }
                })
                // 2. 权限不够时的处理
                .accessDeniedHandler(new AccessDeniedHandler() {
                    @Override
                    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException e) throws IOException, ServletException {
                        String xRequestedWith = request.getHeader("x-requested-with");
                        if ("XMLHttpRequest".equals(xRequestedWith)) {
                            // 异步请求
                            response.setContentType("application/plain;charset=utf-8");
                            PrintWriter writer = response.getWriter();
                            writer.write(CommunityUtil.getJSONString(403, "你没有访问该功能的权限"));
                        }
                        else {
                            //返回异常信息
                            response.setContentType("text/html;charset=utf-8");

                            response.getWriter().print("<script>alert('你没有访问该功能的权限！强制退出'); window.location.href='http://localhost:8080/index';</script>");
                            // 普通请求
//                            response.sendRedirect(request.getContextPath() + "/denied");
                        }
                    }
                });

        // Security 底层会默认拦截 /logout 请求，进行退出处理
        // 此处赋予它一个根本不存在的退出路径，使得程序能够执行到我们自己编写的退出代码
        http.logout().logoutUrl("/securitylogout");

        http.headers().frameOptions().sameOrigin();
    }
}
